feat(abs): add more possible resolv.conf path in nameservice.

Used a lot by debian.
2025-01-18 00:48:10 +01:00 · 2023-11-13 19:32:04 +00:00 · 2023-11-13 19:32:04 +00:00 · 6f98bb9bfb
commit 6f98bb9bfb
parent 5a3dface8e
10 changed files with 2 additions and 12 deletions
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@ -23,6 +23,8 @@
  /var/lib/extrausers/passwd r,

  @{run}/nscd/db* r,
+  @{run}/resolvconf/resolv.conf r,
+  @{run}/systemd/resolve/resolv.conf r,
  @{run}/systemd/resolve/stub-resolv.conf r,

  # NSS records from systemd-userdbd.service
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@ -70,7 +70,6 @@ profile apt-methods-http @{exec_path} {
  owner /tmp/apt-changelog-*/*.changelog rw,

  @{run}/ubuntu-advantage/aptnews.json rw,
-  @{run}/resolvconf/resolv.conf r,

  @{PROC}/1/cgroup r,
  @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -114,7 +114,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /var/log/apt/{term,history}.log w,
  /var/log/apt/eipp.log.xz w,

-        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
  owner @{run}/unattended-upgrades.lock rwk,
  owner @{run}/unattended-upgrades.pid rw,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -93,7 +93,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
        @{run}/motd.d/{,*} r,
        @{run}/motd.dynamic rw,
        @{run}/motd.dynamic.new rw,
-        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/notify w,
        @{run}/systemd/sessions/*.ref rw,
  owner @{run}/sshd{,.init}.pid wl,
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@ -33,7 +33,6 @@ profile agetty @{exec_path} {
  /etc/os-release r,
  /usr/etc/login.defs r,

-        @{run}/resolvconf/resolv.conf r,
  owner @{run}/agetty.reload rw,

        /dev/tty@{int}   rw,
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@ -57,8 +57,6 @@ profile etckeeper @{exec_path} {
  owner @{HOME}/.netrc r,
  owner @{user_config_dirs}/git/{,*} rw,

-  @{run}/resolvconf/resolv.conf r,
-
  owner /tmp/etckeeper-git* rw,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-a-f/fail2ban-server
+++ b/apparmor.d/profiles-a-f/fail2ban-server
@ -35,7 +35,6 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) {

  @{run}/fail2ban/fail2ban.pid rw,
  @{run}/fail2ban/fail2ban.sock rw,
-  @{run}/resolvconf/resolv.conf r,

  owner @{PROC}/@{pid}/fd/ r,

--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@ -20,8 +20,6 @@ profile hostname @{exec_path} {

  @{exec_path} mr,

-  @{run}/resolvconf/resolv.conf r,
-
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include if exists <local/hostname>
--- a/apparmor.d/profiles-m-r/nullmailer-send
+++ b/apparmor.d/profiles-m-r/nullmailer-send
@ -21,7 +21,5 @@ profile nullmailer-send @{exec_path} {

  /var/spool/nullmailer/{,**} rw,

-  @{run}/resolvconf/resolv.conf r,
-
  include if exists <local/nullmailer-send>
 }
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -81,7 +81,6 @@ profile sudo @{exec_path} {

        @{run}/ r,
        @{run}/faillock/{,*} rwk,
-        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/sessions/* r,
  owner @{run}/sudo/ rw,
  owner @{run}/sudo/ts/ rw,